LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-25-2003, 05:28 PM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
LQ weekly security rep - Sep 25th 2003


Sep 22nd 2003
16 of 39 issues handled (SF)
2. Man Utility MANPL Environment Variable Buffer Overrun Vulnerability
3. myServer cgi-lib.dll Remote Buffer Overflow Vulnerability
4. vbPortal Authentication SQL Injection Vulnerability
12. DSPAM Insecure Default Permissions Privilege Escalation Vulnerability
16. ChatZilla Remote Denial of Service Attack
17. OpenSSH Buffer Mismanagement Vulnerabilities
18. Liquid War HOME Environment Variable Buffer Overflow Vulnerability
19. Spider HOME Environment Variable Heap Overflow Vulnerability
20. Spider OPENWINHOME/XVIEWHOME Environment Variables Buffer Overflow
24. KDE KDM PAM Module PAM_SetCred Privilege Escalation Vulnerability
25. KDE KDM Session Cookie Generation Weakness
30. Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability
32. NetBSD Sysctl Argument Handling Vulnerabilities
35. Multiple Mambo Open Source 4.0.14 Server Vulnerabilities
37. Sendmail Ruleset Parsing Buffer Overflow Vulnerability
39. HLSW RCON Console Password Disclosure Weakness

Sep 22nd 2003
25 of 49 issues handled (ISS)
vbPortal auth.inc.php SQL injection
Spider remove_newlines function HOME buffer
OpenSSH large packet buffer overflow
Spider spider_defaults_objects_initialize function
Liquidwar buffer overflow
ChatZilla overly long string causes denial of
DSPAM insecure permissions could allow local
KDM pam_krb5 module configuration may allow local
Sendmail prescan function buffer overflow
KDM weak session cookie encryption
XFree86 weak session cookie encryption
OpenSSH buffer management errors could allow an
IBM DB2 dc2licm binary buffer overflow could allow
IBM DB2 db2dart binary buffer overflow could allow
Linux kernel proc.* sysctl tree denial of service
Linux kernel sysctl helper could allow an attacker
Mambo Site Server banners.php script could disclose
Mambo Site Server banners.php SQL injection
Mambo Site Server emailfriend scripts could allow a
Mambo Site Server contact.php script allows email
hztty multiple buffer overflows could allow
IBM DB2 Discovery Service denial of service caused
LSH heap overflow
myPHPNuke SQL injection $aid SQL injection
Midnight Commander vfs_s_resolve_symlink buffer

Sep 19th 2003
11 issues handled, 43 instances, 14 distro's(LAW)
OpenSSH
Exim
Gtkhtml
KDE
Kernel
Mana
MySQL
Pine
Sendmail
Sysctl
XFree86
 
Old 09-25-2003, 05:30 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393

Original Poster
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
Sep 19th 2003 (LAW)

Linux Advisory Watch
Distribution: SCO

9/15/2003 - mana local vulnerability
There are multiple local environment variable vulnerabilities in mana.
http://www.linuxsecurity.com/advisor...sory-3622.html


Distribution: Conectiva

9/12/2003 - pine Multiple remote vulnerabilities
A buffer overflow and an integer overflow that can be exploited by
remote attackers through the sending of specially crafted messages have
been fixed.
http://www.linuxsecurity.com/advisor...sory-3616.html

9/12/2003 - gtkhtml Buffer overflow vulnerability
Multiple buffer overflow vulnerabilities existed that could be
exploited to at least crash programs linked to gtkhtml by using
malformed HTML. In the case of Evolution, a remote attacker can use an
HTML mail as an attack vector.
http://www.linuxsecurity.com/advisor...sory-3617.html

9/16/2003 - openssh buffer management error
This update fixes a potential remote vulnerability in the buffer
handling code of OpenSSH.
http://www.linuxsecurity.com/advisor...sory-3623.html

9/17/2003 - openssh Remote vulnerabilities
This update fixes new vulnerabilities found in the code that handles
buffers in OpenSSH. These vulnerabilities are similiar to the ones
fixed in the CLSA-2003:739 announcement and can be exploited by a
remote attacker to cause a denial of service condition and potentially
execute arbitrary code
http://www.linuxsecurity.com/advisor...sory-3648.html

9/18/2003 - sendmail buffer overflow vulnerabilities
Michal Zalewski reported a remote vulnerability in sendmail versions
8.12.9 and earlier.
http://www.linuxsecurity.com/advisor...sory-3656.html

9/18/2003 - MySQL Multiple vulnerabilities
World writable configuration files, a double-free vulnerability, and a
password handler buffer overflow have been fixed in this update.
http://www.linuxsecurity.com/advisor...sory-3658.html


Distribution: Debian
9/12/2003 - xfree86 Multiple vulnerabilities
Four vulnerabilities have been identified and fixed in XFree86
including potential denial of service vulnerability.
http://www.linuxsecurity.com/advisor...sory-3618.html

9/15/2003 - mysql buffer overflow vulnerability
MySQL contains a buffer overflow condition which could be exploited by
a user who has permission to execute "ALTER TABLE" commands on the
tables in the "mysql" database.
http://www.linuxsecurity.com/advisor...sory-3619.html

9/16/2003 - ssh buffer management error
A bug has been found in OpenSSH's buffer handling where a buffer could
be marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisor...sory-3624.html

9/17/2003 - openssh multiple vulnerabilities
This advisory is an addition to the earlier DSA-382-1 advisory: two
more buffer handling problems have been found in addition to the one
described in DSA-382-1
http://www.linuxsecurity.com/advisor...sory-3633.html

9/17/2003 - openssh-krb5 buffer handling vulnerability multiple vulnerabilities
Several bugs have been found in OpenSSH's buffer handling. It is not
known if these bugs are exploitable, but as a precaution an upgrade is
advised.
http://www.linuxsecurity.com/advisor...sory-3634.html

9/18/2003 - sendmail buffer overlow vulnerabilities
There are multiple buffer overflow vulnerabilities in the sendmail
package.
http://www.linuxsecurity.com/advisor...sory-3651.html


Distribution: EnGarde

9/16/2003 - OpenSSH buffer management error
The OpenSSH daemon shipped with all versions of EnGarde Secure Linux
contains a potentially exploitable buffer management error.
http://www.linuxsecurity.com/advisor...sory-3621.html

9/18/2003 - Additional 'OpenSSH' buffer management bugs
After the release of ESA-20030916-023, the OpenSSH team discovered more
buffer management bugs (fixed in OpenSSH 3.7.1) of the same type.
Additionally, Solar Designer fixed additional bugs of this class. His
fixes are included in this update.
http://www.linuxsecurity.com/advisor...sory-3649.html
9/18/2003 - 'MySQL' buffer overflow
The MySQL daemon contains a buffer overflow which may be exploited by
any user who has ALTER TABLE permissions on the "mysql" database.
http://www.linuxsecurity.com/advisor...sory-3650.html


Distribution: FreeBSD

9/16/2003 - buffer management error
A bug has been found in OpenSSH's buffer handling where a buffer could
be marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisor...sory-3625.html

9/17/2003 - sendmail Multiple overflow vulnerabilities
A buffer overflow that may occur during header parsing was identified.
An attacker could create a specially crafted message that may cause
sendmail to execute arbitrary code with the privileges of the user
running sendmail, typically root.
http://www.linuxsecurity.com/advisor...sory-3647.html


Distribution: Gentoo

9/15/2003 - mysql buffer overflow vulnerability
Anyone with global administrative privileges on a MySQL server may
execute arbitrary code even on a host he isn't supposed to have a shell
on, with the privileges of the system account running the MySQL server.
http://www.linuxsecurity.com/advisor...sory-3620.html

9/16/2003 - exim buffer overflow vulnerability
There's a heap overflow in all versions of exim3 and exim4 prior to
version 4.21. It can be exercised by anyone who can make an SMTP
connection to the exim daemon.
http://www.linuxsecurity.com/advisor...sory-3626.html

9/16/2003 - openssh Buffer management error
All versions of OpenSSH's sshd prior to 3.7 contain a buffer management
error. It is uncertain whether this error is potentially exploitable,
however, we prefer to see bugs fixed proactively.
http://www.linuxsecurity.com/advisor...sory-3629.html

9/17/2003 - sendmail Buffer overflow vulnerabilities
Fix a buffer overflow in address parsing. Fix a potential buffer
overflow in ruleset parsing. This problem is not exploitable in the
default sendmail configuration.
http://www.linuxsecurity.com/advisor...sory-3646.html

Distribution: Immunix
9/16/2003 - openssh buffer management error
A bug has been found in OpenSSH's buffer handling where a buffer could
be marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisor...sory-3627.html

9/17/2003 - openssh buffer management error
This advisory has been updated to reflect that the OpenSSH team has
found more instances of the programming idiom in question in their
codebase.
http://www.linuxsecurity.com/advisor...sory-3635.html

9/18/2003 - sendmail buffer overflow vulnerabilities
Michal Zalewski discovered flaws in sendmail's prescan() function.
http://www.linuxsecurity.com/advisor...sory-3652.html


Distribution: NetBSD

9/17/2003 - openssh buffer overflow vulnerability
A buffer overwrite with unknown consequences has been found in OpenSSH.
http://www.linuxsecurity.com/advisor...sory-3636.html

9/17/2003 - kernel memory disclosure vulnerability
The iBCS2 system call translator for statfs erroneously used the
user-supplied length parameter when copying a kernel data structure
into userland.
http://www.linuxsecurity.com/advisor...sory-3637.html

9/17/2003 - sysctl multiple vulnerabilities
Three unrelated problems with inappropriate argument handling were
found in the kernel sysctl code, which could be exploited by malicious
local user.
http://www.linuxsecurity.com/advisor...sory-3638.html


Distribution: RedHat

9/16/2003 - openssh buffer management error
A bug has been found in OpenSSH's buffer handling where a buffer could
be marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisor...sory-3628.html

9/16/2003 - KDE Multiple vulnerabilities
Updated KDE packages that resolve a local security issue with KDM PAM
support and weak session cookie generation are now available.
http://www.linuxsecurity.com/advisor...sory-3631.html

9/17/2003 - OpenSSH Buffer manipulation vulnerabilities
Updated packages are now available to fix additional buffer
manipulation problems which were fixed in OpenSSH 3.7.1.
http://www.linuxsecurity.com/advisor...sory-3644.html

9/17/2003 - sendmail Multiple overflow vulnerabilities
Updated Sendmail packages that fix a potentially-exploitable
vulnerability are now available. The sucessful exploitation of this bug
can lead to heap and stack structure overflows.
http://www.linuxsecurity.com/advisor...sory-3645.html


Distribution: Slackware

9/16/2003 - openssh Buffer management error
These fix a buffer management error found in versions of OpenSSH
earlier than 3.7. The possibility exists that this error could allow a
remote exploit, so we recommend all sites running OpenSSH upgrade to
the new OpenSSH package immediately.
http://www.linuxsecurity.com/advisor...sory-3630.html

9/17/2003 - openssh buffer management errors
These packages fix additional buffer management errors that were not
corrected in the recent 3.7p1 release.
http://www.linuxsecurity.com/advisor...sory-3639.html

9/17/2003 - sendmail multiple vulnerabilities
There are multiple vulnerabilities in the sendmail package.
http://www.linuxsecurity.com/advisor...sory-3640.html


Distribution: SuSE

9/16/2003 - openssh Buffer management vulnerability
A programming error has been found in code responsible for buffer
management. If exploited by a (remote) attacker, the error may lead to
unauthorized access to the system, allowing the execution of arbitrary
commands.
http://www.linuxsecurity.com/advisor...sory-3632.html

9/18/2003 - openssh management errors
A programming error has been found in code responsible for buffer
management.
http://www.linuxsecurity.com/advisor...sory-3657.html


Distribution: Trustix

9/17/2003 - openssh buffer management error
All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management
errors.
http://www.linuxsecurity.com/advisor...sory-3641.html

9/17/2003 - mysql buffer overflow vulnerability
Fixed buffer overflow in SET PASSWORD which could potentially be
exploited by MySQL users with root privileges to execute random code or
to gain shell access.
http://www.linuxsecurity.com/advisor...sory-3642.html


Distribution: TurboLinux

9/17/2003 - openssh buffer management error
This vulnerability may allow a remote attacker to execute arbitrary
code.
http://www.linuxsecurity.com/advisor...sory-3643.html

9/18/2003 - sendmail buffer overflow vulnerabilities
The potential buffer overflows are in ruleset parsing and address
parsing for sendmail.
http://www.linuxsecurity.com/advisor...sory-3653.html


Distribution: YellowDog

9/18/2003 - openssh buffer management errors
Updated packages are now available to fix additional buffer
manipulation problems which were fixed in OpenSSH 3.7.1.
http://www.linuxsecurity.com/advisor...sory-3654.html

9/18/2003 - sendmail buffer overflow vulnerabilities
Michal Zalewski found a bug in the prescan() function of unpatched
Sendmail versions prior to 8.12.10.
http://www.linuxsecurity.com/advisor...sory-3655.html
 
Old 09-25-2003, 05:32 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393

Original Poster
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
Sep 22nd 2003 (ISS)

Internet Security Systems



Date Reported: 09/12/2003
Brief Description: vbPortal auth.inc.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, vbPortal 2.0
alpha 8.1, Windows Any version
Vulnerability: vbportal-authinc-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13181

Date Reported: 09/14/2003
Brief Description: Spider remove_newlines function HOME buffer
overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Spider 1.1, Unix Any version
Vulnerability: spider-removenewlinesfunction-home-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13190

Date Reported: 09/16/2003
Brief Description: OpenSSH large packet buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Cisco CatOS Any version, CiscoWorks 1105 HSE Any
version, CiscoWorks 1105 WLSE Any version,
CiscoWorks SN 5428 Storage Router 2-3.3.1-K9,
CiscoWorks SN 5428 Storage Router 2-3.3.2-K9,
CiscoWorks SN 5428 Storage Router 2.5.1-K9,
CiscoWorks SN 5428 Storage Router 3.2.1-K9,
CiscoWorks SN 5428 Storage Router 3.2.2-K9,
CiscoWorks SN 5428 Storage Router 3.3.1-K9,
CiscoWorks SN 5428 Storage Router 3.3.2-K9,
Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Debian Linux 3.0, EnGarde Secure Linux
Community Edition, EnGarde Secure Linux
Professional Edition, FreeBSD 4.0-Stable, Gentoo
Linux Any version, Immunix OS 7+-beta, Immunix OS
7+-beta, Immunix OS 7+-beta, NetBSD 1.5, NetBSD
1.5.1, NetBSD 1.5.2, NetBSD 1.5.3, NetBSD 1.6,
NetBSD 1.6.1, NetBSD-current pre20030917, OpenSSH
prior to 3.7, Red Hat Advanced Workstation 2.1, Red
Hat Enterprise Linux 2.1AS, Red Hat Enterprise
Linux 2.1ES, Red Hat Enterprise Linux 2.1WS, Red
Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux
7.3, Red Hat Linux 7.x, Red Hat Linux 8.0, Red Hat
Linux 9, Slackware Linux 8.1, Slackware Linux 9.0,
Slackware Linux current, SuSE eMail Server 3.1,
SuSE eMail Server III Any version, SuSE Linux 7.2,
SuSE Linux 7.3, SuSE Linux 8.0, SuSE Linux 8.1,
SuSE Linux 8.2, SuSE Linux Standard Server 8, SuSE
Linux Connectivity Server Any version, SuSE Linux
Database Server Any version, SuSE Linux Enterprise
Server 7, SuSE Linux Enterprise Server 8, SuSE
Linux Firewall Any version, SuSE Linux Office
Server Any version, Trustix Secure Linux 1.2,
Trustix Secure Linux 1.5, Trustix Secure Linux 2.0,
Turbolinux 7 Server, Turbolinux 7 Workstation,
Turbolinux 8 Server, Turbolinux 8 Workstation,
TurboLinux Advanced Server 6, Turbolinux Server
6.1, Turbolinux Server 6.5, Turbolinux Workstation
Vulnerability: openssh-packet-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13191

Date Reported: 09/14/2003
Brief Description: Spider spider_defaults_objects_initialize function
OPENWINHOME or XVIEWHOME buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Spider 1.1, Unix Any version
Vulnerability: spider-spiderdefaultsobjectsinitalize-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13192

Date Reported: 09/16/2003
Brief Description: Liquidwar buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Liquidwar 5.4.5
Vulnerability: liquidwar-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13193

Date Reported: 09/14/2003
Brief Description: ChatZilla overly long string causes denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: ChatZilla 0.8.23 and earlier, Linux Any version
Vulnerability: chatzilla-string-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13196
Date Reported: 09/16/2003
Brief Description: DSPAM insecure permissions could allow local
attacker to gain elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: DSPAM 2.6.5, DSPAM 2.6.5.1, Unix Any version
Vulnerability: dspam-insecure-permissions
X-Force URL: http://xforce.iss.net/xforce/xfdb/13197

Date Reported: 09/16/2003
Brief Description: KDM pam_krb5 module configuration may allow local
attacker to gain root privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Conectiva Linux 8.0, Conectiva Linux 9.0, Debian
Linux 3.0, K Desktop Environment (KDE) 3.1.3 and
earlier, K Desktop Environment (KDE) 3.1.3 and
earlier, K Desktop Environment (KDE) 3.1.3 and
earlier, Linux Any version, Red Hat Advanced
Workstation 2.1, Red Hat Enterprise Linux 2.1AS,
Red Hat Enterprise Linux 2.1ES, Red Hat Linux 7.1,
Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux
8.0, Red Hat Linux 9
Vulnerability: kdm-pamkrb5-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/13203

Date Reported: 09/17/2003
Brief Description: Sendmail prescan function buffer overflow
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Debian Linux 3.0, Gentoo Linux Any
version, Immunix OS 7+-beta, Immunix OS 7+-beta,
Immunix OS 7+-beta, Red Hat Advanced Workstation
2.1, Red Hat Enterprise Linux 2.1AS, Red Hat
Enterprise Linux 2.1ES, Red Hat Enterprise Linux
2.1WS, Red Hat Linux 7.1, Red Hat Linux 7.2, Red
Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9,
Sendmail 8.12.9 and earlier, Slackware Linux 8.1,
Slackware Linux 9.0, Slackware Linux current, SuSE
Linux 7.2, SuSE Linux 7.3, SuSE Linux 8.0, SuSE
Linux 8.1, SuSE Linux 8.2, SuSE Linux Connectivity
Server Any version, SuSE Linux Database Server Any
version, SuSE Linux Enterprise Server 7, SuSE Linux
Enterprise Server 8, SuSE Linux Firewall Any
version, SuSE Linux Office Server Any version,
Turbolinux 7 Server, Turbolinux 7 Workstation,
Turbolinux 8 Server, Turbolinux 8 Workstation,
TurboLinux Advanced Server 6, Turbolinux Server
6.1, Turbolinux Server 6.5, Turbolinux Workstation
6.0
Vulnerability: sendmail-prescan-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13204

Date Reported: 09/16/2003
Brief Description: KDM weak session cookie encryption
Risk Factor: Low
Attack Type: Network Based
Platforms: Conectiva Linux 8.0, Conectiva Linux 9.0, Debian
Linux 3.0, K Desktop Environment (KDE) 3.1.3 and
earlier, K Desktop Environment (KDE) 3.1.3 and
earlier, K Desktop Environment (KDE) 3.1.3 and
earlier, Linux Any version, Red Hat Advanced Server
2.1AS, Red Hat Advanced Workstation 2.1, Red Hat
Enterprise Linux 2.1ES, Red Hat Enterprise Linux
2.1WS, Red Hat Linux 7.1, Red Hat Linux 7.2, Red
Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9
Vulnerability: kdm-cookie-weak-encryption
X-Force URL: http://xforce.iss.net/xforce/xfdb/13205

Date Reported: 09/17/2003
Brief Description: XFree86 weak session cookie encryption
Risk Factor: Low
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, XFree86 4.x
Vulnerability: xfree-cookie-weak-encryption
X-Force URL: http://xforce.iss.net/xforce/xfdb/13213

Date Reported: 09/17/2003
Brief Description: OpenSSH buffer management errors could allow an attacker to execute code
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Debian Linux 3.0, EnGarde Secure Linux
1.0.1, EnGarde Secure Linux Community Edition,
EnGarde Secure Linux Professional Edition, OpenPKG
1.2, OpenPKG 1.3, OpenPKG CURRENT, OpenSSH prior to
3.7.1, Red Hat Advanced Workstation 2.1, Red Hat
Enterprise Linux 2.1AS, Red Hat Enterprise Linux
2.1ES, Red Hat Enterprise Linux 2.1WS, Red Hat
Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3,
Red Hat Linux 8.0, Red Hat Linux 9, Slackware Linux
8.1, Slackware Linux 9.0, Slackware Linux current,
SuSE eMail Server 3.1, SuSE eMail Server III Any
version, SuSE Linux 7.2, SuSE Linux 7.3, SuSE Linux
8.0, SuSE Linux 8.1, SuSE Linux 8.2, SuSE Linux
Standard Server 8, SuSE Linux Connectivity Server
Any version, SuSE Linux Database Server Any
version, SuSE Linux Enterprise Server 7, SuSE Linux
Enterprise Server 8, SuSE Linux Firewall Any
version, SuSE Linux Office Server Any version,
Trustix Secure Linux 1.2, Trustix Secure Linux 1.5,
Trustix Secure Linux 2.0
Vulnerability: openssh-buffer-code-execution
X-Force URL: http://xforce.iss.net/xforce/xfdb/13215

Date Reported: 09/18/2003
Brief Description: IBM DB2 dc2licm binary buffer overflow could allow
execution of code
Risk Factor: High
Attack Type: Host Based
Platforms: IBM DB2 7.2 for Linux, Linux Any version
Vulnerability: ibm-db2-db2licm-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13217

Date Reported: 09/18/2003
Brief Description: IBM DB2 db2dart binary buffer overflow could allow
execution of code
Risk Factor: High
Attack Type: Host Based
Platforms: IBM DB2 7.2 for Linux, Linux Any version
Vulnerability: ibm-db2-db2dart-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13218

Date Reported: 09/18/2003
Brief Description: Linux kernel proc.* sysctl tree denial of service
Risk Factor: Low
Attack Type: Host Based
Platforms: Linux kernel Any version, NetBSD 1.5, NetBSD 1.5.1,
NetBSD 1.5.2, NetBSD 1.5.3, NetBSD 1.6, NetBSD
1.6.1, NetBSD-current pre20030825
Vulnerability: linux-proc-sysctl-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13235

Date Reported: 09/18/2003
Brief Description: Linux kernel sysctl helper could allow an attacker
to read kernel memory
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux kernel Any version, NetBSD 1.5, NetBSD 1.5.1,
NetBSD 1.5.2, NetBSD 1.5.3, NetBSD 1.6, NetBSD
1.6.1, NetBSD-current pre20030825
Vulnerability: linux-helper-read-memory
X-Force URL: http://xforce.iss.net/xforce/xfdb/13236

Date Reported: 09/18/2003
Brief Description: Mambo Site Server banners.php script could disclose
sensitive information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, Mambo Site
Server 4.0.14, Solaris Any version, Windows Any
version
Vulnerability: mambo-bannersphp-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13237

Date Reported: 09/18/2003
Brief Description: Mambo Site Server banners.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, Mambo Site
Server 4.0.14, Solaris Any version, Windows Any
version
Vulnerability: mambo-banners-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13238

Date Reported: 09/18/2003
Brief Description: Mambo Site Server emailfriend scripts could allow a
remote attacker to obtain sensitive information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, Mambo Site
Server 4.0.14, Solaris Any version, Windows Any
version
Vulnerability: mambo-emailfriend-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13239

Date Reported: 09/18/2003
Brief Description: Mambo Site Server contact.php script allows email
to be sent anonymously
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, Mambo Site
Server 4.0.14, Solaris Any version, Windows Any
version
Vulnerability: mambo-contact-anonymous-email
X-Force URL: http://xforce.iss.net/xforce/xfdb/13240

Date Reported: 09/19/2003
Brief Description: hztty multiple buffer overflows could allow
execution of code with root privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, hztty Any version, Linux Any
version, Unix Any version
Vulnerability: hztty-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13243

Date Reported: 09/19/2003
Brief Description: IBM DB2 Discovery Service denial of service caused
by specially-crafted packet
Risk Factor: Low
Attack Type: Network Based
Platforms: IBM DB2 7.2, Linux Any version
Vulnerability: db2-discoveryservice-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13244

Date Reported: 09/20/2003
Brief Description: LSH heap overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, LSH 1.5, LSH 1.5.1, LSH 1.5.2,
LSH prior to 1.4.3, Unix Any version
Vulnerability: lsh-heap-overflow
X-Force URL: http://xforce.iss.net/xforce/xfdb/13245

Date Reported: 09/20/2003
Brief Description: myPHPNuke SQL injection $aid SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, myPHPNuke 1.8.8, Unix Any
version, Windows Any version
Vulnerability: myphpnuke-aid-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13246

Date Reported: 09/19/2003
Brief Description: Midnight Commander vfs_s_resolve_symlink buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Midnight Commander 4.5.52
through 4.6.0, Unix Any version
Vulnerability: midnight-commander-vfssresolvesymlink-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13247
 
Old 09-25-2003, 05:35 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393

Original Poster
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
Sep 22nd 2003 (SF)

SecurityFocus


2. Man Utility MANPL Environment Variable Buffer Overrun Vulner...
BugTraq ID: 8602
Remote: No
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8602
Summary:
The man utility is used for formatting and displaying various system
manuals and documentation. It is possible to specify the length of lines
to display using the MANPL environment variables.

It has been reported that the man utility may be prone to a buffer overrun
conditon, when handling environment variable data. The problem is said to
specifically occur due to insufficient bounds checking when handling data
stored within the MANPL variable.

As a result of this issue, a local attacker may be capable of executing
arbitrary code with the privileges of man, typically setgid 'man'. This
could be accomplished by placing approximately 128 or more bytes of data,
within the affected environment variable, and invoking man.

It should be noted that some vendors are said to apply a patch to affected
man releases, however some systems may still deploy the vulnerable version
with setgid privileges.

3. myServer cgi-lib.dll Remote Buffer Overflow Vulnerability
BugTraq ID: 8612
Remote: Yes
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8612
Summary:
myServer is an application and web server for Microsoft Windows and Linux
operating systems.

myServer has been reported prone to a remote buffer overflow
vulnerability. This issue is reported to exist in the cgi-lib.dll file.

The issue presents itself when the software attempts to process string
values of excessive length for URI variables. This will cause adjacent
regions of memory to be corrupted with data contained in the malicious
string. This will likely result in a crash due to the server attempting
to dereference an invalid memory address. However, it is possible that
this vulnerability may also allow the execution of arbitrary instructions
since the attacker may be able to leverage memory corruption to control
execution flow of the server process. Any instructions carried out
through this vulnerability would be with the privileges of the web server
process. However, the possibility of code execution has not been
confirmed.

This vulnerability was reported for myServer version 0.4.3 and earlier.

4. vbPortal Authentication SQL Injection Vulnerability
BugTraq ID: 8613
Remote: Yes
Date Published: Sep 12 2003
Relevant URL: http://www.securityfocus.com/bid/8613
Summary:
vbPortal is a portal application which can be used in conjunction with
vbBulletin forums.

It has been reported that vbPortal is prone to SQL injection attacks when
authentication users. The problem occurs due to insufficient sanitization
of the $aid variable, used to store the name of the authenticating user.
Specifically, slashes are not placed into the value of $aid to terminate
any control characters after the data has been base64 decoded. The
exploitable SQL query can be seen below:

$result=mysql_query("SELECT password as pwd FROM user WHERE username =
'$aid'");

As a result, an attacker may supply data within the username designed to
prematurely terminate the string, and influence the logic of this SQL
query. This may be exploited to expose sensitive information, or
potentially to launch attacks against the underlying database.

This issue can be exploited by making a malicious HTTP request to the
auth.inc.php script, including a base64 encoded payload embedded within
the 'admin' URI parameter.

12. DSPAM Insecure Default Permissions Privilege Escalation Vuln...
BugTraq ID: 8623
Remote: No
Date Published: Sep 15 2003
Relevant URL: http://www.securityfocus.com/bid/8623
Summary:
DSPAM is an anti-spam application designed for use with most Unix mail
applications. Beginning with DSPAM 2.6.5, an option was included in the
program that allows a user to supply a delivery agent and quarantine agent
via the command-line.

A vulnerability has been reported for DSPAM that may allow an attacker to
execute arbitrary code with elevated privileges. The issue lies in the
fact that DSPAM is installed world-executable and setgid by default.

As a result, an unprivileged attacker may supply a malicious executable to
the application, as an argument when specifying a delivery or quarantine
agent. When invoked, the executable will be run with the group privileges
of DSPAM, typically mail.

This privilege escalation could assist in further attacks launched against
a target system.

16. ChatZilla Remote Denial of Service Attack
BugTraq ID: 8627
Remote: Yes
Date Published: Sep 15 2003
Relevant URL: http://www.securityfocus.com/bid/8627
Summary:
ChatZilla is an IRC-client for Linux operating systems. ChatZilla is
based on JavaScript and XUL and it is shipped with Mozilla web browser.

A vulnerability has been reported to exist in the software, that may allow
a remote attacker to cause a denial of service condition in ChatZilla.
The issue presents itself when a remote attacker posing as an IRC server
sends specially crafted requests containing long string values to a
vulnerable system. The attack may cause the software to behave in an
unstable manner leading to a crash.

Successful exploitation of this vulnerability may allow a remote attacker
to cause the vulnerable software to crash.

It is not known if this condition could also be exploited to execute
arbitrary code on the client.

ChatZilla versions 0.8.23 and prior are reported to be prone to this
issue.

17. OpenSSH Buffer Mismanagement Vulnerabilities
BugTraq ID: 8628
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8628
Summary:
A buffer mismanagement vulnerability has been reported in OpenSSH. This
issue exists in the 'buffer.c' source file.

The source of a problem is that a buffer structure size value may be
expanded before the program attempts to reallocate the buffer using this
size. If the expanded buffer size triggers a call to fatal(), a series of
cleanup functions registered by the daemon will be called prior to exiting
the program. As one of these functions may then reference the data within
the buffer, including the unused expanded value, a miscalculation could
potentially occur. Depending on how the cleanup functions reference this
data, it may be theoretically possible for heap-based memory to be
corrupted. This condition can reportedly be triggered by an overly large
packet.

External sources, including the vendor, do not believe that this issue
could be exploited to execute arbitrary code though it may potentially be
used to cause a denial of service.

There are also unconfirmed rumors of an exploit for this vulnerability
circulating in the wild. The impact may be reduced by the implementation
of privilege separation on affected versions of OpenSSH.

OpenSSH has revised their advisory, pointing out a similar issue in the
channels.c source file and an additional issue. Solar Designer has also
reportedly pointed out additional instances of the problem that may also
present vulnerabilities. Individual BIDs will be created for these
additional issues when further analysis is complete.

18. Liquid War HOME Environment Variable Buffer Overflow Vulnera...
BugTraq ID: 8629
Remote: No
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8629
Summary:
Liquid War is multiplayer computer game available for multiple platforms.

Liquid War has been reported prone to a buffer overflow condition when
handling HOME environment variables of excessive length.

The issue presents itself, due to a lack of sufficient boundary checks
performed on data contained in the HOME environment variable before it is
copied into a reserved buffer in stack based memory. Data that exceeds the
size of the affected buffer may overrun its bounds and corrupt adjacent
memory. It has been reported that a local attacker may exploit this
condition to execute arbitrary instructions with GID Games privileges.

It should be noted that although this vulnerability has been reported to
affect Liquid War version 5.4.5 other versions might also be affected.

19. Spider HOME Environment Variable Heap Overflow Vulnerability...
BugTraq ID: 8630
Remote: No
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8630
Summary:
Spider is a solitaire game for the X Window System. It is distributed as
part of the Debian Linux distribution.

Spider has been reported prone to a heap overflow condition when handling
HOME environment variables of excessive length.

The issue presents itself, because a call to calloc() allocates
'(strlen(str) + 256)' bytes as a buffer size, it is possible for an
attacker to trigger the allocation of an insufficient buffer, by crafting
a value for the 'str' variable that contains, '~/' sequences, these
sequences will later be expanded to equal the data contained in the 'HOME'
environment variable. An attacker may lever this condition to corrupt
adjacent malloc chunk headers with attacker-supplied data.

Although unconfirmed ultimately it may be possible that a local attacker
may exploit this condition to execute arbitrary instructions with GID
Games privileges.

It should be noted that although this vulnerability has been reported to
affect Spider version 1.1 other versions might also be affected.

20. Spider OPENWINHOME/XVIEWHOME Environment Variables Buffer Ov...
BugTraq ID: 8631
Remote: No
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8631
Summary:
Spider is a solitaire game for the X Window System. It is distributed as
part of the Debian Linux distribution.

Spider has been reported prone to a buffer overflow condition when
handling OPENWINHOME or XVIEWHOME environment variables of excessive
length.

The issue presents itself, due to a lack of sufficient boundary checks
performed on data contained in the OPENWINHOME or XVIEWHOME environment
variables before they are copied as part of an interpolated string into a
reserved 256 byte buffer in stack based memory.

Data that exceeds the size of the affected buffer may overrun its bounds
and corrupt adjacent memory. It has been reported that a local attacker
may exploit this condition to execute arbitrary instructions with GID
Games privileges.

It should be noted that although this vulnerability has been reported to
affect Spider version 1.1 other versions might also be affected.

24. KDE KDM PAM Module PAM_SetCred Privilege Escalation Vulnerab...
BugTraq ID: 8635
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8635
Summary:
KDM is the KDE Display Manager, a component of the KDE Desktop
Environment. It is available for Linux/Unix operating systems. KDM
provides a graphical login interface for KDE.

A problem has been reported in the KDE Display Manager (KDM) when used in
combination with Pluggable Authentication Modules (PAM). Because of this,
an attacker may be able to gain unauthorized access to systems.

The problem is in the handling of specific authentication requests passed
through pam_setcred. Under some circumstances, the results of the
pam_setcred call is not checked. An attacker could create a malicious
request that circumvents authentication checking to gain unauthorized
access to a system.

It should be noted that this problem occurs when KDM is used in
combination with the pam_krb5 module.

25. KDE KDM Session Cookie Generation Weakness
BugTraq ID: 8636
Remote: Yes
Date Published: Sep 16 2003
Relevant URL: http://www.securityfocus.com/bid/8636
Summary:
KDM is the KDE Display Manager, a component of the KDE Desktop
Environment. It is available for Linux/Unix operating systems. KDM
provides a graphical login interface for KDE.

KDM uses a weak algorithm to generate session cookies. In particular, the
session cookie generation algorithm is not sufficient for generating 128
bits of entropy. This may potentially make brute-forcing of session
cookies a practical endeavor, inevitably enabling an adversary to hijack a
KDM user session.

For exploitation to be successful, the adversary must also be able to
bypass any host-based restrictions. It is most likely that a malicious
local user could potentially exploit this to gain unauthorized access to
another user's existing session.

30. Sendmail Prescan() Variant Remote Buffer Overrun Vulnerabili...
BugTraq ID: 8641
Remote: Yes
Date Published: Sep 17 2003
Relevant URL: http://www.securityfocus.com/bid/8641
Summary:
Sendmail is prone to a buffer overrun vulnerability in the prescan()
function. This issue is different than the vulnerability described in BID
7230. The issue exists in the parseaddr.c source file and could allow for
corruption of stack or heap memory depending on where in the code the
function is called from. One possible attack vector is if the function is
indirectly invoked via parseaddr(), though others may also exist.

This vulnerability could permit remote attackers to execute arbitrary code
via vulnerable versions of Sendmail. This would occur with the privileges
of the server.

The vendor has reported that versions prior to version 8.12.10, are
vulnerable. Additionally it has been reported that commercial releases
including all versions of Sendmail Advanced Message Server, Sendmail Pro,
Sendmail Switch and Sendmail for NT are also vulnerable.

32. NetBSD Sysctl Argument Handling Vulnerabilities
BugTraq ID: 8643
Remote: No
Date Published: Sep 18 2003
Relevant URL: http://www.securityfocus.com/bid/8643
Summary:
Multiple vulnerabilities have been reported in the sysctl system call for
NetBSD systems.

A kernel panic could be the result of some sysctl nodes attempting to
dereference a NULL pointer. In particular, a pointer variable was
mistakenly used for pointing to a user-level and a kernel level address.
A NULL pointer could be set to the variable by a user, potentially causing
a kernel panic and denying service to legitimate users of the system.

If the process ID of a zombie process is passed to the system call, this
could cause a kernel panic. This could occur if the proc.* sysctl tree is
invoked on a zombie process, which would have invalid or non-existent
process information. This could potentially be exploited by a user to
cause a kernel panic, denying service to legitimate users of the system.

Some sysctl nodes do not implement sufficient range checking, potentially
allowing kernel memory to be read. The proc.curproc.rlimit subtree has a
number of nodes that contain information about process limits. sysctl
provides a helper that is used to manipulate these values, which does not
implement sufficient range checking, potentially allowing values outside
of the rlimit structure to be read. This could permit a local user to
browse kernel memory, potentially gaining access to sensitive information
such as credentials. This issue may be similar to the vulnerability
described in BID 2364, which affects the Linux kernel.

It is not known if other BSD derivatives are similarly affected by these
issues.

These issues will be separated into individual BIDs when further analysis
is complete.

35. Multiple Mambo Open Source 4.0.14 Server Vulnerabilities
BugTraq ID: 8647
Remote: Yes
Date Published: Sep 18 2003
Relevant URL: http://www.securityfocus.com/bid/8647
Summary:
Mambo Open Source is a web based content management system.

Several issues have been identified in Mambo Open Source Server. Because
of these issues, an attacker may be able to gain unauthorized access to
sensitive data and/or send e-mail/spam to arbitrary recipients. The
vulnerabilities are caused by insufficient sanitization of user-supplied
data.

The following problems have been reported to exist:

Multiple SQL injection vulnerabilities may exist in the banners.php and
emailfriend/emailarticle.php modules of the software allow a remote
attacker to inject malicious SQL syntax into database queries. A remote
attacker may exploit the issues to influence SQL query logic.

These issues may allow an attacker to gain access to sensitive data stored
in the database. Other attacks on the underlying database are possible as
well.

An input validation issue has been reported in the sendmail function of
contact.php module of the software. It is possible for a remote attacker
to exploit this lack of input validation to send anonymous e-mail to
arbitrary recipients, possibly in large volumes. The may be accomplished
by passing URL arguments to the following parameters in order to send
email to recipients: $text, $from, $name, $email_to, and $sitename.

This issue may allow an attacker to conceal their identity and send
e-mail/spam to arbitrary recipients.

Mambo Open Source Server 4.0.14 has been reported to be prone to this
problem, however other versions may be affected as well.

This BID will be divided into individual BIDs when further analysis of the
issues is complete.

37. Sendmail Ruleset Parsing Buffer Overflow Vulnerability
BugTraq ID: 8649
Remote: Unknown
Date Published: Sep 17 2003
Relevant URL: http://www.securityfocus.com/bid/8649
Summary:
Sendmail is a widely used MTA for Unix and Microsoft Windows systems.

Sendmail has been reported prone to a buffer overflow condition when
parsing non-standard rulesets.

It has been reported that an attacker may trigger a buffer overflow
condition in Sendmail, when Sendmail parses specific rulesets.
Non-standard rulesets recipient(2), final(4) and mailer-specific envelope
recipient may be used as an attack vector to trigger this vulnerability.
It should be noted that Sendmail under a default configuration is not
vulnerable to this condition. It is not currently known, if this
vulnerability may potentially be exploited to execute arbitrary code.
However due to the nature of the condition, although unconfirmed, it has
been conjectured that ultimately an attacker may exploit this condition to
execute arbitrary code in the context of the affected Sendmail server.

It is not currently known if this vulnerability is restricted to local
exploitation or if the issue may also be exploited remotely.

Explicit technical details regarding this vulnerability are not currently
available; this BID will be updated as further details are disclosed.

39. HLSW RCON Console Password Disclosure Weakness
BugTraq ID: 8651
Remote: Yes
Date Published: Sep 18 2003
Relevant URL: http://www.securityfocus.com/bid/8651
Summary:
HLSW RCON Console is used to remotely administer Half-Life and
Counter-Strike game servers.

It has been reported that RCON game server console is prone to a plaintext
password disclosure weakness because user passwords are not encrypted when
exchanged between a client and a server. This issue may allow an attacker
who is in a position to eavesdrop on client-server network traffic to
harvest user authentication information.

Successful exploitation of this weakness may allow a remote attacker to
steal authentication information. The attacker could use this information
to compromise the console. Latent vulnerabilities in the console which
require authentication may also be exploited if the console is
compromised.

Although unconfirmed HLSW versions 1.0.0.8 beta and prior could be prone
to this issue.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LQ weekly security rep - Sep 30th 2003 unSpawn Linux - Security 4 09-30-2003 08:56 PM
LQ weekly security rep - Sep 18th 2003 unSpawn Linux - Security 4 09-18-2003 05:01 PM
LQ weekly security rep - Sep 10th 2003 unSpawn Linux - Security 3 09-10-2003 01:07 PM
LQ weekly security rep - Tue Mar 25th 2003 unSpawn Linux - Security 4 03-28-2003 06:10 PM
LQ weekly security rep - Mon Nov 25th 2002 unSpawn Linux - Security 3 11-29-2002 08:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration